CVE•Published 2026-05-14•Modified 2026-05-14•1 article on news•5 live references•NVD data

CVE-2026-44482

Vulnerability data via NVD (ingested)

CVSS v3.1

9.6

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS percentile

—

Weaknesses (CWE)

CWE-20Improper Input Validation CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')CWE-94Improper Control of Generation of Code ('Code Injection')CWE-862Missing Authorization

Description

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (window.soundcloudAPI.sendTrackUpdate) to the remote SoundCloud page. Track metadata from SoundCloud is trusted and forwarded through IPC into the Electron main process. The app later renders that metadata as raw HTML inside privileged Electron views that have Node.js integration enabled. This vulnerability is fixed in 0.1.8.

Timeline

Published 2026-05-14

Modified 2026-05-14

External references

NVD MITRE Exploit-DB Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-44482

Hosts Shodan has explicitly fingerprinted as vulnerable.

More intel sources (5)

Shodan report

vuln:CVE-2026-44482

Country / ASN / product breakdown for the vuln query.

Censys

vulnerabilities.cve_id: CVE-2026-44482

Censys host search filtered to this CVE id.

grep.app

CVE-2026-44482